Users access the internet via Cloud SWG using SEP Cloud and Access Protection tunnelled clients.
SAC integration with Cloud SWG is enabled, and segment-based applications are configured.
Cloud SWG authentication uses SAML with an ADFS IDP server, but SAC authentication is set up using LDAP, which is not a documented use case. This was tried to avoid SCIM, which Okta and Azure require but which ADFS does not support natively.
When users access SAC segment-based applications after authenticating successfully to the IDP server (using the IP address to rule out any DNS errors), they get the following error:
ADFS IDP server.
SAC with Cloud SWG integration.
Segment based Applications.
User mismatch between Cloud SWG and SAC environments.
Make sure that the SAML-generated name identifier matches the LDAP username format that SAC assigns to segment-based policies.
The user authenticated to the ADFS IDP server, and the name identifier sent across was BCOM\user1; the user on the SAC side was [email protected].
Changing the name identifier value (NameId) on ADFS to send the mail attribute instead of the UPN, so that it matches the SAC username format, fixed the issue.
NOTE: It is recommended that both SAC and Cloud SWG use SAML and point to the same SAML IDP server.
SAC forensic logs record the username format consumed by SAC; looking at these logs shows what format is expected.
The WSS Agent UI shows the username format in the username field.
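To check for this mismatch before rolling out a NameId change, the following added example (not part of this article, and not Broadcom code) extracts the NameID from a SAML assertion and compares it with the username SAC expects. The two assertions and the SAC username are constructed samples; ADFS sends the real values in the SAML response.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertions (not real ADFS output), trimmed to the Subject.
# The first sends the Windows account name as NameID, the second sends the mail attribute.
ASSERTION_ACCOUNT_NAME = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">BCOM\\user1</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

ASSERTION_MAIL = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed placeholder for the username SAC assigned to the segment-based policy.
SAC_USERNAME = "user1@example.com"

EMAIL_RE = re.compile(r"^[^@\s\\/]+@[^@\s]+\.[^@\s]+$")


def extract_name_id(assertion_xml):
    """Return (NameID value, NameID Format attribute) from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        raise ValueError("assertion carries no NameID")
    return node.text.strip(), node.get("Format", "")


def diagnose(assertion_xml, sac_username):
    """Explain why the SAML NameID would not match the SAC username, or report 'ok'."""
    name_id, _fmt = extract_name_id(assertion_xml)
    if name_id.casefold() == sac_username.casefold():
        return "ok"
    if "\\" in name_id:
        return "mismatch: NameID is DOMAIN\\user (%s); SAC expects %s" % (name_id, sac_username)
    if not EMAIL_RE.match(name_id):
        return "mismatch: NameID %s is not in mail format" % name_id
    return "mismatch: NameID %s is a different mail address than %s" % (name_id, sac_username)


if __name__ == "__main__":
    print(diagnose(ASSERTION_ACCOUNT_NAME, SAC_USERNAME))  # mismatch: DOMAIN\user
    print(diagnose(ASSERTION_MAIL, SAC_USERNAME))          # ok
```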